How we take down malicious Visual Studio Code extensions
ID: f7daa5a6-3458-52e4-b436-8075f8c4491b
STIX ID: report--f7daa5a6-3458-52e4-b436-8075f8c4491b
Feed Name: Checkmarx Zero
Checkmarx Zero identified and disclosed three malicious VS Code extensions (automatedlogic.automatedlogic, automated1ogic.automated1ogic, webctrl.live), published in May 2024, that typosquatted the Automated Logic/WebCTRL brand. The extensions auto-activated, collected host metadata and exfiltrated it to hard-coded HTTP endpoints (45.76.218.40:61031 and 45.76.218.40:10442). One contained a commented downloader capable of fetching and executing remote payloads. Microsoft removed the extensions after reporting in September 2025.
